Current Event: Security Vulnerability in Safari RSS

By sojc701 at 11:40 am on January 13, 2009 | 2 Comments

Open source programmer Brian Mastenbrook reports that he has found a security flaw in Safari's RSS feed handling. According to him, Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention. The vulnerability affects both the Mac and Windows versions of Safari. It can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could in turn be used to gain access to the user's accounts on some web sites.

Mastenbrook reports that all users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected. Users of Safari on Windows are also affected. Users who have Safari for Windows installed but do not use it for browsing are not affected.

Although Apple has acknowledged the vulnerability, it has not said when a fix for this issue will be released.

Therefore, Mastenbrook recommends that users not use Safari as their default RSS reader.
For Mac users:
1. Open Safari and select Preferences… from the Safari menu.
2. Choose the RSS tab at the top of the Preferences window.
3. Click the Default RSS reader pop-up and select an application other than Safari.
For Windows users, use a different web browser.

For more information, see http://brian.mastenbrook.net/display/27

Filed under: Current Events, Miscellaneous

2 Comments

  • 1

    Comment by dannya

    January 14, 2009 @ 1:48 am

    Nothing is more suspicious to me than a security website recommending installing a third-party tool to fix a vulnerability, although this may not be an issue in this case.
    Hopefully Apple patches this soon so I can reconnect my internet.

  • 2

    Comment by Ryan McElroy

    January 16, 2009 @ 2:40 pm

    This is a particularly interesting exploit because it seems that it could be exploited without any user intervention. For example, if someone already subscribes to an RSS feed you control or you have gained access to using Safari (a fact you can discover by checking web server logs), you can change the RSS feed and the next time the user checks their RSS feed, you can execute arbitrary code on their machine. This makes popular blogs or news sites particular targets. Since the exploit only has to occur once, DNS spoofing may also lead to this attack occurring almost without any user intervention (other than simply starting Safari!). Definitely a major hole that Apple should address in a timely fashion.
